This repository has been archived by the owner on Jun 5, 2023. It is now read-only.
The Forseti CSCC Connector finding details page can display the project and asset at the top of the page. This will provide a link to more information on the resource, including the resource data.
Proposed Solution
The CSCC supported resource name is very similar to the CAI resource name. The CAI resource name is already stored in the gcp_inventory table, and the resource_name in the violations table should be the same (this needs to be confirmed).
The CSCC format is slightly different than the CAI format:
Cluster:
- CAI Format: //container.googleapis.com/projects/%s/(zones|regions|locations)/%s/clusters/%s
- CSCC Format: //container.googleapis.com/projects/%s/zones/%s/clusters/%s
Docker Image (Strip prefix):
- CAI Format: //containerregistry.googleapis.com/us.gcr.io/...
- CSCC Format: us.gcr.io/...
ALL Compute Types:
- CAI Format: //compute.googleapis.com/.../compute-asset-display-name
- CSCC Format: //compute.googleapis.com/.../compute-asset-numerical-id
Managed Zone and Policy:
- CAI Format: //dns.googleapis.com/projects/project-asset-display-name/...
- CSCC Format: //dns.googleapis.com/projects/project-asset-numerical-id/...
Clusters
For the clusters, CSCC is expecting the zone to always be included in the resource name (not location or region). The cluster zone should be available in the resource_data from the violation.
Docker Images
This should be pretty straightforward, just strip the domain from the resource_name.
Compute
Will need to get the number from the resource_data and replace the id. Do the project ids need to be replaced with the project numbers (along with folders and any other resource that is in the hierarchy)?
DNS zone and policy
Need to replace the name with the id.
Questions
How to handle IAM policy?
Implementation Details
Forseti currently sends the resource full_name as the resource_name parameter to CSCC. This line will need to be changed to use the resource_name property of the violation instead, e.g. violation.get('resource_name'). Depending on the resource type, some modifications to the resource name will need to be made to align with the above.
Acceptance Criteria
Verify that the CSCC integration is still working and that the finding details page shows the project and asset.
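The name rewrites listed in the issue, sketched as an added example (not Forseti's code and not part of the original issue). The function name, the `zone` and `id` keys in resource_data, and the `project_number` argument are assumptions; the open questions about project ids inside Compute names and about IAM policy are left untouched.

```python
import re

# Assumed resource_data keys (not confirmed by the issue):
# 'zone' for clusters, 'id' for Compute assets.
_CLUSTER_RE = re.compile(
    r'^(//container\.googleapis\.com/projects/[^/]+)/'
    r'(zones|regions|locations)/([^/]+)/clusters/([^/]+)$')
_GCR_PREFIX = '//containerregistry.googleapis.com/'
_COMPUTE_PREFIX = '//compute.googleapis.com/'
_DNS_RE = re.compile(r'^(//dns\.googleapis\.com/projects/)[^/]+(/.*)$')


def cai_to_cscc_name(resource_name, resource_data=None, project_number=None):
    """Map a CAI resource name to the CSCC form listed in the issue.

    Raises ValueError when the data needed for a rewrite is missing, so a
    finding is never sent with a half-converted name.
    """
    data = resource_data or {}
    m = _CLUSTER_RE.match(resource_name)
    if m:
        prefix, kind, place, cluster = m.groups()
        # CSCC always wants a zone; regions/locations need it from the data.
        zone = place if kind == 'zones' else data.get('zone')
        if not zone:
            raise ValueError('cluster zone missing from resource_data')
        return '%s/zones/%s/clusters/%s' % (prefix, zone, cluster)
    if resource_name.startswith(_GCR_PREFIX):
        # Docker image: strip the service prefix, keep us.gcr.io/...
        return resource_name[len(_GCR_PREFIX):]
    if resource_name.startswith(_COMPUTE_PREFIX):
        # Compute: swap the trailing display name for the numerical id.
        numeric_id = str(data.get('id', ''))
        if not numeric_id.isdigit():
            raise ValueError('numeric id missing from resource_data')
        return resource_name.rsplit('/', 1)[0] + '/' + numeric_id
    m = _DNS_RE.match(resource_name)
    if m:
        # DNS zone/policy: swap the project name for its numerical id.
        if not str(project_number or '').isdigit():
            raise ValueError('project number required for DNS names')
        return m.group(1) + str(project_number) + m.group(2)
    return resource_name  # other types pass through unchanged
```

Failing closed on missing data keeps a malformed name from silently breaking the project and asset link on the finding details page.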
Hi @zachahuy02, thanks for the feedback. We are looking to include the severity for Config Validator violations in this ticket: #3522. Can you provide more info on what description you are referring to? Are you referring to the violation_message from the Forseti violations table?